Using Nagios to Detect Network Sniffers

Normally, you wouldn't want to have your servers' network interfaces running in promiscuous mode. If a
network interface does go into promiscuous mode without a known reason, it could indicate that someone
has planted some sort of sniffer or back door on your system.

One way to detect this condition is to run a "netstat -i" command on the server in question. If a "P" shows
up in the status column, then the card is running promiscuously. But, the problem with this is that we're
depending upon a program that might have been replaced with a trojaned version. (A trojaned version of
netstat might not let you see the true status of the network interface.) It would be better if we could monitor
for this condition from an external source.

Installing nmap

We've written this plug-in to take advantage of the scripting capabilities that are built in with the newest versions of
nmap. We can use the included "sniffer-detect.nse" script to build our plug-in. You'll need to compile nmap yourself,
because the old version of nmap that's in the rpmforge repository doesn't have scripting capabilities.

On the Nagios server, download the latest version of nmap from here:

http://nmap.org/download.html

At the time of this writing, the current version is 6.01, and the file that you want to download is "nmap-6.01.tar.bz2".
(Be sure to check for the latest version.)

Untar this file, and cd into the resultant directory. Then, compile and install with the standard commands:

    ./configure
    make
    sudo make install

Note that during the "./configure" step, you may get a warning about a missing "libsvn1" library. Don't let that concern
you, because you won't need it. (Besides, there doesn't seem to be one available for CentOS.)
Configure "sudo"

To detect promiscuous mode, you'll need to run the nmap script with root privileges. Run "visudo", and give the nagios
user root privileges for the nmap executable. Your configuration can look something like this:

    User_Alias NAGIOS = nagios,nagiocmd
    Cmnd_Alias NAGIOSCOM = /sbin/service,/etc/rc.d/init.d/httpd,/usr/local/nagios/libexec/check_log,/usr/local/bin/nmap
    Defaults:NAGIOS !requiretty
    NAGIOS ALL=(ALL) NOPASSWD: NAGIOSCOM

Note that we've also given the nagios user root privileges for other things, as well. You can leave those other things
out if you don't need them. Bear in mind that nmap's scripting engine runs arbitrary Lua, so a root nmap amounts to root
access for the nagios account; keep the NAGIOSCOM list as short as you can.
Creating the Plug-in Script

In the Nagios plug-ins directory, create the "check_promiscuous.sh" script. The exit code follows the Nagios convention
(0 = OK, 1 = WARNING, 3 = UNKNOWN), so a scan that fails outright is reported as UNKNOWN rather than as OK:

    #!/bin/bash
    # check_promiscuous.sh: Nagios plug-in that probes a host with nmap's
    # sniffer-detect script. Nagios exit codes: 0 OK, 1 WARNING, 3 UNKNOWN.
    hostaddress="$1"
    if [ -z "$hostaddress" ]; then
        echo "UNKNOWN: usage: $0 <host address>"
        exit 3
    fi
    # Root is needed for the raw probes, hence sudo (see the visudo entry above).
    output=$(sudo /usr/local/bin/nmap --script=sniffer-detect.nse "$hostaddress" 2>&1) || {
        echo "UNKNOWN: nmap failed: $output"
        exit 3
    }
    if echo "$output" | grep -q 'promiscuous'; then
        echo "WARNING: This interface may be in promiscuous mode."
        exit 1
    else
        echo "OK: This interface does not seem to be in promiscuous mode."
        exit 0
    fi

Ensure that the "nagios" user owns the file, and set the executable permission for the user.
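As an added example that is not part of the original article, here is the same check written in Python around nmap's XML output ("-oX -"): it reads the sniffer-detect result out of the XML instead of counting grep matches, and it reports a host that is down, or a scan that failed, as UNKNOWN rather than OK. The nmap path and the sudo entry are the ones configured above; the XML samples are constructed for offline testing, not captured from a real scan.

```python
"""Nagios check for nmap's sniffer-detect, using XML output instead of grep | wc."""
import subprocess
import sys
import xml.etree.ElementTree as ET

OK, WARNING, UNKNOWN = 0, 1, 3          # Nagios exit codes (2 = CRITICAL is unused here)
NMAP = "/usr/local/bin/nmap"            # same path as in the visudo entry above


def classify(nmap_xml):
    """Map the XML of one sniffer-detect scan to (Nagios exit code, status line)."""
    root = ET.fromstring(nmap_xml)
    host = root.find("host")
    status = host.find("status") if host is not None else None
    if status is None or status.get("state") != "up":
        return UNKNOWN, "UNKNOWN: target not up or not present in nmap output"
    addr_el = host.find("address")
    addr = addr_el.get("addr") if addr_el is not None else "?"
    # nmap records host-level NSE results under <hostscript><script id=... output=...>
    script = host.find("hostscript/script[@id='sniffer-detect']")
    result = script.get("output", "") if script is not None else "no sniffer-detect output"
    if "promiscuous" in result.lower():         # same keyword the shell plug-in greps for
        return WARNING, "WARNING: %s may be in promiscuous mode (%s)" % (addr, result)
    return OK, "OK: %s does not seem to be in promiscuous mode (%s)" % (addr, result)


def check_host(address):
    """Run nmap under sudo with XML on stdout (-oX -) and classify the result."""
    cmd = ["sudo", NMAP, "--script=sniffer-detect.nse", "-oX", "-", address]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        return UNKNOWN, "UNKNOWN: nmap failed: %s" % proc.stderr.strip()
    return classify(proc.stdout)


# Constructed sample XML (not from a real scan) so the classification can be checked offline.
SAMPLE_PROMISC = (
    '<nmaprun><host><status state="up"/><address addr="192.168.0.60" addrtype="ipv4"/>'
    '<hostscript><script id="sniffer-detect" '
    'output="Likely in promiscuous mode (tests: &quot;11111111&quot;)"/></hostscript>'
    "</host></nmaprun>"
)
SAMPLE_CLEAN = ('<nmaprun><host><status state="up"/>'
                '<address addr="192.168.0.61" addrtype="ipv4"/></host></nmaprun>')
SAMPLE_DOWN = '<nmaprun><runstats><hosts up="0" down="1" total="1"/></runstats></nmaprun>'

if __name__ == "__main__":
    code, msg = check_host(sys.argv[1]) if len(sys.argv) > 1 else classify(SAMPLE_PROMISC)
    print(msg)
    sys.exit(code)
```

Install it in the plug-ins directory with the same ownership and permissions as the shell version and point the command definition's command_line at it.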
Configuring the Nagios Server

Create the host definition in the standard manner:

    define host {
        host_name   Debian-5
        alias       Debian-vm-nrpe
        address     192.168.0.60
        parents     cisco_business_switch
        use         linux-server
        register    1
    }

The command definition would look something like this:

    define command {
        command_name    check_promiscuous
        command_line    $USER1$/check_promiscuous.sh $HOSTADDRESS$
        register        1
    }

(Note that there's no "-H" option switch for the host address.)

Finally, the service definition:

    define service {
        host_name           Debian-5
        service_description Check Promiscuous Mode
        use                 generic-service
        check_command       check_promiscuous
        register            1
    }
Testing

After reloading the Nagios daemon, you should see the status of the target host.

To test it, do something that would cause the interface on the target host to enter promiscuous mode.
(This could include starting up a virtual machine, starting Wireshark, etc.) This should cause an alarm to be generated.

Note that this plug-in has been successfully tested against both Linux and Windows hosts.

A Caveat

It's important to note that this plug-in will give you false alarms under certain circumstances. If you run this against
a host that either has virtual IP addresses on an interface, or that's hosting a virtualized environment, this plug-in will
show it as being in promiscuous mode.